N Korean Cyber Attacks Continue Despite Peace Talks

Uploaded on 2018-06-01 in INTELLIGENCE-Hot Spots-North Korea, GOVERNMENT-National, FREE TO VIEW, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

As Kim Jong-un speaks publicly about nuclear disarmament, North Korea’s hacker army continues to launch cyber-attacks against different businesses across Asia, Europe and the US, according to private sector analysts and former US officials.

Experts from several cybersecurity firms, Dell SecureWorks, McAfee, Symantec, FireEye and Recorded Future, all say that activity from North Korea has stayed steady or grown in volume since peace talks gained steam earlier this year.

The activities of these Pyongyang-linked hacking groups largely focuses on financial theft and covertly stealing digital secrets. While affected companies have quietly dealt with the onslaught in recent months, their contracted cybersecurity firms confidentially collected and studied recent malware samples that show the North Koreans are still actively developing new iterations of their toolsets.

“Similar to operations conducted prior to that date [circa January], North Korean actors have engaged in broad cyber espionage using a Destover-variant tool, developed and deployed malicious Android applications, and developed more destructive malware,” said Priscilla Moriuchi, a threat intelligence expert with Recorded Future and former NSA analyst focused on East Asia.

“We have seen a heavy concentration of targeting in Southeast Asia and the United States, with some cross over into the Middle East,” McAfee Senior Researcher Ryan Sherstobitoff said. “We have even seen an entire country’s financial sector targeted by Hidden Cobra during this period.”

Hidden Cobra is one of the nicknames assigned by the US government to North Korea’s hacking activities; other names authored by the private sector include “Lazarus Group,” “Blue Nortoff” and “Red Eyes.”

Recently, the Department of Homeland Security and Federal Bureau of Investigation released a joint alert-about the spread of a specific malware variant that’s been widely associated with Hidden Cobra since at least 2009. It’s not clear if a recent breach prompted the new DHS-FBI alert. But experts say it wouldn’t be surprising.

“The group continues to use implants such as Bankshot and newly created hybrid Trojans based on previous notable activity,” described Sherstobitoff, referencing a type of malware that infected Turkey’s banking system. 

“The TTPs (Tactics Tools and Procedures) have not changed much, only to the degree that targeting appears to extend more beyond the borders of South Korea … The underlying goals have always remained the same: financial and classic data collection in support of intelligence operations.”

The findings, as disclosed to CyberScoop, provide a stark reminder that North Korea remains highly dependent on cybercrime for both financial and geopolitical gain, so much so in that they’re willing to risk angering foreign governments amid a diplomatic push.

“During the past few months we’ve seen Lazarus conduct attacks on financial organizations, with the intention of attempting bank heists,” said Vikram Thakur of Symantec’s Security Response team. “The volume of these attacks is not massive but the trend reflects a small uptick in overall attacks and attempts of financial fraud.”

The diplomatic talks regarding North Korea involve several key countries, including China, Russia, South Korea and the US. A number of research teams see the US and South Korea still being targeted.

“During the timeframe, North Korea had been focusing their attention to South Korean targets, specifically North Korean defectors and related organizations for intelligence gathering,” a spokesperson for SecureWorks’ Counter Threat Unit said. 

“Based on targeting select victims, it appears that the North Korean government is keen to acquire information that could affect current peace process … We have not directly observed but are aware of phishing lures containing topics concerning current peace talks.”

North Korea’s use of these diplomatically inspired phishing emails was not previously known. How the small, resource-strapped nation will move away from this type of behavior if it is to improve foreign partnerships is an open-ended question, experts say.

The challenge is especially significant because of the decentralized nature of North Korea’s hacking units. Prior reporting by Bloomberg showed that Pyongyang was able to establish small teams of hackers in Southeast Asia in order to pursue official and unofficial criminal schemes. This loose structure would conceivable make operations difficult to suddenly wind down.

“DPRK cyber espionage operations continue to increase in scope and sophistication, developing new offensive capabilities and leveraging zero day vulnerabilities,”

So said Cristiana Brafman Kittner, principal security analyst at FireEye. These financially motivated intrusions have continued during the run up to a potential Kim, Trump summit.”

On Wednesday, top North Korean and US government officials met in Singapore to discuss next steps in the negotiations, according to The Washington Post. Cybersecurity did not appear to be a topic of conversation.

The meeting was held to organize a potential upcoming summit between Kim and President Donald Trump. In the past, a noticeable spike in malware detections inside of North Korea have followed these types of meetings.

New Jersey-based cyber-security firm Comodo saw an increase following a meeting between Secretary of State Mike Pompeo and Kim on May 9.

Such detections could suggest one of two things: that the country is itself being hacked or that hackers inside North Korea are testing their own tools internally before operating abroad.

CyberScoop

You Might Also Read: 

North Korea's Cyber Soldiers Are Concealed Abroad:

N Korea Is A Bigger Cyber Threat Than Russia:


 

 

« Quantum Computing - What You Should Know
Japan’s Secret Spy Agency »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CFC Underwriting

CFC Underwriting

CFC is a specialist insurance provider and a pioneer in emerging risk, including cyber insurance.

Oodrive

Oodrive

Oodrive is the first trusted European collaborative suite allowing users to collaborate, communicate and streamline business with transparent tools that ensure security.

NNIT

NNIT

NNIT​ is one of Denmark’s leading consultancies in IT development, implementation and operations, including cyber security.

DataProtect

DataProtect

DataProtect is a specialized information security company providing consultancy, information management, integration and training services.

Intel Capital

Intel Capital

Intel Capital, Intel's strategic investment organization, backs innovative technology startups and companies worldwide. We invest in a broad range of hardware, software, and services.

Y-PARC

Y-PARC

Y-PARC is a center of excellence for cybersecurity, precision industries and medtech, fostering innovation and development and support for startups.

CONCORDIA

CONCORDIA

Concordia is a Cybersecurity Competence Network with leading research, technology, and competences to build the European Secure, Resilient and Trusted Ecosystem.

Stratosphere Networks

Stratosphere Networks

Stratosphere Networks offer managed cybersecurity services rooted in Managed Detection and Response and Security Operations Center services that our team can tailor to meet your needs.

Silent Sector

Silent Sector

Silent Sector is a cybersecurity services company that specializes in providing a wide range of managed security services.

Cybots Pte Ltd

Cybots Pte Ltd

Cybots is a multinational cyber defence brand founded in Singapore in 2018 to help organizations stay ahead of increasingly sophisticated threats from cyber criminals.

Redbot Security

Redbot Security

Redbot Security provides industry leading manual penetration testing. Protecting critical systems and data - red team attack and breach simulations, (OT) critical infrastructure testing.

Acumera

Acumera

Acumera is a leader in managed network security, visibility and automation services.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

Var Group

Var Group

Var Group is one of the main partners for innovation in the ICT sector in Italy.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.

AI Safety Institute (AISI)

AI Safety Institute (AISI)

The AI Safety Institute’s mission is to minimise surprise to the UK and humanity from rapid and unexpected advances in AI.